It’s well known that SSL encrypting of your website leads to higher search rankings and better security for your users. However, there are a number of barriers that have prevented website owners from adopting SSL.

Two of the biggest barriers have been the cost and the manual processes involved in getting a certificate. But now, with Let’s Encrypt, this is no longer a concern. Let’s Encrypt makes SSL encryption freely available to everyone.

Let’s Encrypt is a free, automated, and open certificate authority. Yes, that’s right: SSL/TLS certificates for free. Certificates issued by Let’s Encrypt are trusted by most browsers today, including older browsers, such as Internet Explorer on Windows XP SP3. In addition, Let’s Encrypt is fully automated for both issuing and renewing certificates.

In this blog post, we’ll cover how to use the Let’s Encrypt client to generate RSA certificates and automatically configure NGINX to use the newly issued certificates.

How Let’s Encrypt Works

Before issuing a certificate, Let’s Encrypt first validates ownership of your domain. The Let’s Encrypt client, running on your host, creates a temporary file (a token) with the required information in it. The Let’s Encrypt validation server then makes an HTTP request to retrieve the file and validates the token, which verifies that the DNS record for your domain resolves to the server running the Let’s Encrypt client.

Prerequisites

Before starting with Let’s Encrypt, you’ll need a few prerequisites:

Have NGINX or NGINX Plus installed.

Own or control a registered domain name for the certificate. If you don’t have a registered domain name, you can use a domain name registrar, such as GoDaddy, dnsexit, etc.

Create a DNS record that points your domain name to your server’s public IP address.

2. Set up NGINX

Certbot can automatically configure SSL with NGINX by finding the correct server block in the NGINX configuration. Certbot will look for the server_name directive in the server block that matches the domain name you’re requesting a certificate for. We’ll be using www.example.com as the domain in this tutorial.

Assuming you’re starting with a fresh NGINX install, create a configuration file named www.example.com.conf in the /etc/nginx/conf.d directory

1

$nano/etc/nginx/conf.d/www.example.com.conf

Enter your domain name in the server_name directive in a server block

1

2

3

4

5

server{

listen80default_server;

listen[::]:80default_server;

server_name example.com www.example.com;

}

Save the file, verify the syntax of your configuration edits, and restart NGINX

1

$nginx-t&&nginx-sreload

3. Obtain the SSL certificate

Certbot has various plugins to generate SSL certificates. The NGINX Plugin will take care of re-configuring NGINX and reloading the configuration whenever necessary.

To generate SSL certificates with the NGINX plugin, run the following command:

1

$sudo certbot--nginx-dexample.com-dwww.example.com

Once the process has completed successfully, certbot will prompt you to configure your HTTPS settings, which includes entering your email address and agreeing to the Let’s Encrypt terms of service.

Once that’s completed, NGINX will reload with the new settings. Certbot will output a message stating that the SSL certificate generation is successful, along with the location of the certificate on your server.

4. Automatic Renewal of Let’s Encrypt Certificates

Let’s Encrypt certificates expire in 90 days. We encourage you to automatically renew your certificates when they expire. We’ll set up a cron job to do this.

We start by opening a file called crontab…

1

$crontab-e

…and we enter the certbot command we wish to run daily. In this blog post, we run the command every day at noon. The command will check to see if the certificate on the server is expired, and renew it if it is.

1

012***/usr/bin/certbot renew--quiet

Close the cron tab, and now all installed certificates will be automatically renewed and reloaded. The --quiet directive tells certbot not to output information.

Summary

We’ve installed the Let’s Encrypt agent to generate SSL certificates for a registered domain name. We’ve configured NGINX to use SSL certificates, and we’ve set up automatic certificate renewals. Now, you can set up Let’s Encrypt with NGINX, and have a simple, secure website up and running within minutes.